search

Traverse universe

Security Summer School

Info
Details

Category

Web Exploitation

Difficulty

Easy

hashtag
Challenge Overview

We've got a website that seems to work unproperly. Clicking on every planet reveals nothing but the photo of the planet itself. However, this doesn’t help us reaching the flag.

Also, it's important to observe here that when we click on a planet, we're redirected to the planet parameter, like so: planet=mercury/mercury.php (for example).

So we're gonna analyze the page source again. (When you don't know what to do, always check for the cookies, page source, and fuzzing.)

We see a weird code in one line. If we try to understand this, we get:

<!--
<script>
var _0x5c09 = ['dot-php', 'earth\x20', 'log', 'slash\x20', 'dot-dot-slash\x20', 'flag\x20', 'NASA\x20'];

(function(_0xe916b7, _0x5c0933) {
  var _0x34f1b0 = function(_0x4a989c) {
    while (--_0x4a989c) {
      _0xe916b7['push'](_0xe916b7['shift']());
    }
  };
  _0x34f1b0(++_0x5c0933);
}(_0x5c09, 0xa1));

var _0x34f1 = function(_0xe916b7, _0x5c0933) {
  _0xe916b7 = _0xe916b7 - 0x0;
  var _0x34f1b0 = _0x5c09[_0xe916b7];
  return _0x34f1b0;
};

var algf = _0x34f1('0x4') + _0x34f1('0x1') + _0x34f1('0x3') + 'moon\x20' + 'slash\x20' + _0x34f1('0x6') + _0x34f1('0x3') + _0x34f1('0x5') + _0x34f1('0x0');

console[_0x34f1('0x2')](algf);
</script>
-->

This basically means that _0x5c09 is a string array with words, and algf is the entire path which should lead to the flag.

So we're now looking only at these 2 lines:

  • _0x34f1('0x4') returns the index 4 element from _0x5c09. → 'dot-dot-slash '../

  • Also, \x20 means space in hex code.

Putting the pieces together, we obtain the full path: ../earth/moon/NASA/flag.php

So navigating to: planet=../earth/moon/NASA/flag.php, we get

flag in photo

hashtag
Final Flag

SSS{t0_the_m00n_nd_back}

made by k0d

PreviousSantaNextNobody loves me

Last updated